Cybersecurity skills shortage, is it real?

So you're in Cybersecurity, and your company has been trying so hard to find qualified Cybersecurity candidates but without much success. Your company is frustrated by the lack of qualified candidates, and the qualified candidates seem to ask for unrealistic $$$.

You even interviewed some candidates and you did not like what you saw.

My question is....

1) What skills are you actually looking for? Splunk? Nessus? Risk assessment? Penetration testers with OSCP? Candidates who passed GCFA and can do Memory Forensics?

2) How hard do you think it is to get a candidate and give them time to get proficient with Splunk? How is it different than, say, Network engineering where you give a candidate time to get familiar with a certain network gear? Why is Splunk so hard to master? Is Splunk the problem?

3) How crucial are those skills? Are you being unrealistic? How often do you have to do Memory Forensics (as an example)? Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pick up?

I'm just trying to understand, because I spent time in Systems Engineering and various parts of Security, and I didn't find Cybersecurity particularly harder, so I'm trying to identify the source of the problem here.

Goal: GCFA (DONE), GPEN (DONE)

"Never stop learning and every time you are doing something mindless...you could be learning something new." Eric Conrad

1 - I print the new job descriptions in my area and laugh at them with my coworkers. Every job description wants a $50-$75k/yr entry-to-mid-level security person who is in charge of antivirus, EDR, web filter, DLP, FDE, IPS, SIEM, AD, email filter, etc. After a few months the job listings come down, unfilled. I'm fortunate enough that I work at a large enough company that our job descriptions are pretty role-specific, so any of my analysts only oversee one or two infosec areas, ensuring that we get as deep technically-speaking as we can. In my opinion it's impossible for an infosec generalist to do any halfway decent job of managing 15 different systems and processes. If I were a consultant, I'd tell most companies in my area to rip out most of their blinky light boxes and get a guy who's really good at improving processes before buying any fancy expensive appliances or cloud MSSPs.

2 - If it's a full-time dedicated person who has the technical ability to work with Splunk, I'd give them 2-3 years to be good with it. Splunk gets deep and it all depends on the log sources. Cisco's logs are way different to bring in and manipulate than Nessus' logs.

3 - Everybody is unrealistic in their expectations, but that's because the people hiring don't know anything about security. They think they can treat it just like any other entry-to-mid-level IT job, and that's so far from the truth to do it effectively nowadays. IMO, to be good at infosec you need to live and breathe the specific area you work in. A network engineer just can't do a 3-month job rotation with an infosec engineer and be any good at the job. Plus during those 3 months he's trying to learn Splunk you are effectively defenseless, and who the heck wants that!??!

So when I was in the Unix world, some places required proficiency with sendmail, BIND, Symantec NetBackup, and Veritas Cluster. Those are (in my opinion) obscure products and have a more difficult learning curve than an Enterprise AV or a DLP. Candidates were not expected to be experts in all of those, and as an engineer, you were expected to read the manuals, man pages, forums, etc. to get yourself up to speed.

The same can be (and I'm still trying to form an opinion on this) applied to security. I still don't see the whole 'Cyber skills shortage'. There are so many network/systems engineers who would make great InfoSec professionals if they're given the chance, and I found them to be a lot more competent than some of the InfoSec pros who have only done InfoSec (but that's a topic for another day).

For what it's worth, in my last 4 jobs I met 40% of the skills listed in the job description, and it took me about 6 weeks to get up to speed and get bored out of my mind. Those are not skills, they're just familiarity with a certain GUI or process or whatever.


I'm on the analysis side of things, and yes I would say there is a skills gap in this area. How long it might take someone to learn to push buttons in Splunk shouldn't be the concern in my opinion. I believe the first order of business is to identify candidates that understand the data itself and have critical thinking skills. In my experience it's trivial to add and comprehend tooling on top of that.

I've worked in a myriad of environments over the years and I can say very few teams are capable of consistently performing analysis at a high level, let alone doing it at scale. I'm also noticing a concerning trend involving the over-reliance on newer high-capability tooling, especially in the EDR space. Take away a team's EDR visibility, or Splunk, and more often than not you'll see an investigation come to a screeching halt. Fundamental disciplines such as data collection, evidence handling, and alternate methods of processing evidence seem to have fallen to the wayside.

This is problematic because the most meaningful breaches typically won't take place the way we want them to; on systems with perfect monitoring, healthy agents, and with evidence readily provided to us in real time. Especially in larger environments, we often have security-related issues because a system fell through the cracks and wasn't patched, or <insert security tool here> stopped working and we didn't know about it until it was too late. Being dynamic and resilient is very important in this respect, and we need to resist the urge to get comfortable with off-the-shelf solutions. But this isn't happening.

One last thing I'd like to add here: I also think we have a significant leadership skills gap in the industry. We have upper-management going to vendor-run security conferences and returning to the office with a bag full of buzzwords. These buzzwords get thrown around in a meeting or two, and somehow they end up driving policy and lead to frivolous spending. It's a huge problem. I believe the most complete solutions to security issues lie within, and in the data. I'd like to see more organizations look inward than reaching for the newest button to push.

@YFZblu: you raise an excellent point, mate!!! I'm in complete agreement with you.

But I think this is more or less what I'm thinking... so you said the skills needed are 'data collection, critical thinking, evidence handling, being thorough, ...etc' rather than specific tooling. That's exactly what I think too, and this is the reason why I think experienced Network/System Engineers are perfect for this, because they have most of this and some more.

But come interview time, the cyber experts jump on asking specific tool questions... I singled out Splunk because I've seen SO MANY cyber jobs that were nothing but Splunk button pushing - not that it's a small task, it's just nothing special in the sense that any capable engineer should pick this skill up.

I 100% agree that the problem is leadership and management: too much focus on off-the-shelf tools and staff who have tools on their CV, rather than leveraging experienced IT folks who may not have the tools yet, but are more than capable of picking them up.


Like most things it's a balance - you'd definitely want strong investigators leading the team, but I do agree that incorporating engineering staff has benefits, especially in-house engineering staff who have experienced the environment in a completely different context and add a new perspective. But would talented Engineers feel comfortable moving to an operational role? I guess it would have to be judged case-by-case.

1) What skills are you actually looking for? Splunk? Nessus? Risk assessment? Penetration testers with OSCP? Candidates who passed GCFA and can do Memory Forensics?

This depends on the job opening. A lot of people who are in cybersec and are already doing this day by day don't even have certs. The people who have certs usually have the CISSP. A lot of CISSPs are not even technical at all. They create policies. There is a big misconception that CISSP guys are expected to know everything cybersec.

2) How hard do you think it is to get a candidate and give them time to get proficient with Splunk? How is it different than, say, Network engineering where you give a candidate time to get familiar with a certain network gear? Why is Splunk so hard to master? Is Splunk the problem?

You can deploy Splunk in your home lab and learn from it. It will close the gaps. A lot of people just double-click even when using Splunk.

3) How crucial are those skills? Are you being unrealistic? How often do you have to do Memory Forensics (as an example)? Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pick up?

In production, they have a guy who deals with Nessus, another guy or group who deals with risk assessment; pen testers are usually outsourced; forensics is dealt with by 1 or 2 guys depending on how big the company is. Separation of duties...

The skills gap is absolutely real; laws of supply and demand are skewing some salary requests too. I know in my dept I have a need now, I got approval to start looking in 2019, I explained that it can easily take 6 months to find a good person, before even starting to train them on all the company and tool specifics. My mindset went from "oh great I might get some more help soon!" to "oh, might be able to get someone who's actually helpful in 2020". I have friends at partner companies who have been trying to fill more unicorn type positions for a year+ without luck. I did a long rant here a while back trying to fill even a Jr analyst position; it wasn't fun.

For your questions:

1. It depends but I tend to go less hardcore on the actual tool requirements as we're a smaller dept and I need more for a generalist. I use Nexpose, if someone knows how to use Nessus, great, if they use something else, also great, they can learn a different tool with the same concept.

2. Splunk is a thing, and people who want Splunk don't seem to want someone who is good in ArcSight, so it's going to be much more difficult to say "I want a Splunk expert" vs "I want someone who understands log collection and correlation".

3. Anyone smart enough with a strong enough background can usually pick up anything, but do they need to? If you're expecting a network engineer to do that as one of their tasks, then I wouldn't expect that. But if you're expecting a good sysadmin to be able to learn security tasks and step into a security job, then why not? Most people transition into security, they aren't born there.

What are you really looking for? Or should be? Experience, but not in Cyber-security, in IT. Cyber-security really isn't an entry-level job; you need to have a decent base in other areas of IT first, and only then are you really qualified for entry-level Cyber Security. As for starting salaries, it should be in the 70k+ range minimum. You're not going to get someone decent at Cyber Security paying 50k a year.

CyberSec today reminds me of systems skills in the late 90s. A huge demand, unrealistic job requirements (in 2001, job requirements asking for five years of exp with Windows 2000, etc.) and a bunch of applicants who could barely spell their job title, never mind excel in it. The largest problem is those managers who, after getting burned, think that a paperwork exercise will prevent them from getting burned in the future.

That Windows 2000 comment nearly made me spit out my coffee. Good stuff. It's a little sad though because it's true. I once saw an infosec job posted at my organization that was basically asking for high levels of experience in almost every aspect of infosec and, for some unknown reason, years of professional experience in higher ed, building design, marketing, advertising, and economics. Needless to say they didn't end up filling that position...

It's definitely real, but employers are unrealistic with their requirements. They want the perfect candidates when most of those don't even exist and if they do, they probably can't afford them. Lots of good things happening though to bring up a new generation of security pros. Getting more women in tech and offering more school programs will certainly help. Diversity is a great thing for the industry.

.... I have a need now, I got approval to start looking in 2019, I explained that it can easily take 6 months to find a good person, before even started to train them on all the company and tool specifics. My mindset went from "oh great I might get some more help soon!" to "oh, might be able to get someone to actually helpful in 2020" I have friends at partner companies who have been trying to fill more unicorn type positions for a year+ without luck.

Are you able to share the skills that you are after? It would be helpful for us to see, and perhaps find a solution.


I think the skills gap is the industry's own making. When I look at infosec job listings in my area, almost all of them describe senior level positions. No one wants to train. So what happens in an industry if you only demand senior level people and are never willing to train junior levels? Eventually you run out of candidates.

As others have stated, my view of the cybersecurity field has been all wanting senior level people at entry level pricing. We have schools pumping out cybersecurity graduates like they're going out of style and yet somehow we are still short. I'd agree you need IT experience before jumping into the waters, but most programs (at the undergrad level) are balanced thus you are getting a base in technology that would allow you to work in IT to get that experience.

Ultimately, in a perfect world, I'd like to see cybersecurity as a field go in a trade-like fashion. You get in, but you're an apprentice tied to someone and learning the job's skills. You're doing some of the menial tasks that we'd all rather not do, but at the same time getting bits and pieces of security. Steadily you rise up the ranks and eventually you're a full-fledged cybersecurity person. Most cybersecurity shops I've worked in we've maintained our own systems, meaning system administration had to take place. Perfect starting point for a new cybersecurity grad to get technical skills while still being part of the team.

Are you able to share the skills that you are after? It would be helpful for us to see, and perhaps find a solution.

I think that answer is different for everyone, even for different positions within the same company. The last job I had to fill was more a Jr level, and I know we all argue about this here, but I consider Jr level in security to be someone who already has IT experience, but less actual security experience. Someone who shows up and says, oh you're looking for vulnerability management, I can learn that! But, if that same person doesn't know enough networking to know how the systems connect, different subnets, etc., doesn't know enough of Windows domains to understand GPOs, patching cycles, reasonable AD, basic hardening, etc., then they're not as valuable to me as someone to handle a vuln management type of job.

The general idea I tried to get to in my other post was that bigger concepts are more important to me than exact specifics; if I had a bigger group I'd be more concerned about the specifics as they could silo more. But if you've done X firewalls, and know firewall rules, and I use Fortinet instead of Cisco, well OK, you can probably learn that reasonably fast. I ended up hiring someone who was a higher level desktop support person but was also the go-to guy for chasing down viruses and phishing issues. Because of that I was able to hand him some easier work for a while and then set up training for the harder stuff.

As others have stated, my view of the cybersecurity field has been all wanting senior level people at entry level pricing. ...... I'd agree you need IT experience before jumping into the waters, but most programs (at the undergrad level) are balanced thus you are getting a base in technology that would allow you to work in IT to get that experience.

Ultimately, in a perfect world, I'd like to see cybersecurity as a field go in a trade-like fashion. You get in, but you're an apprentice....

Excellent points. I recently spoke with a couple IT recruiters we use from time to time, and they indicated in our small city that Cybersecurity positions were numerous, but the pay was pretty entry-level.

I've talked to more than a couple of people wanting to get into IT from other careers, and they always indicate that they want to go right into cybersecurity. Yet they have no idea of the vast knowledge and experience - nothing they currently have themselves since they don't even work in IT - that these types of roles really demand to be effective.

And years of experience in IT simply isn't enough. I work with a lot of people with years in the IT business, but they never go to school, take vendor training, Google to research an issue, etc. You have to be someone who is continually willing to learn and research, which is where an apprenticeship would help.

Our own IT security team has generally settled with newbies to IT for analysts, and boy it shows. Not that one or two of their techs weren't sharp, but they lacked much real IT experience in networking, or support - even desktop support. So, then we server admins find ourselves doing a lot of the footwork the cybersecurity personnel simply don't know how to do.

..., but I consider Jr level in security to be someone who already has IT experience, but less actual security experience. Someone who shows up and says, oh you're looking for vulnerability management, I can learn that! But, if that same person doesn't know enough networking to know how the systems connect, different subnets, etc., doesn't know enough of Windows domains to understand GPOs, patching cycles, reasonable AD, basic hardening, etc., then they're not as valuable to me as someone to handle a vuln management type of job.

....

I'm interested in this because I've heard this argument before, so I'm trying to understand what the cause of this problem is and how it can be fixed.

So where did the problem happen? Let's explore some possibilities:

1) The job description was out of whack; it did not list "know how the systems connect, different subnets, etc., know enough of Windows domains to understand GPOs, patching cycles, reasonable AD, basic hardening"

2) The job description was accurate and listed the required skills, but the pay was too low for someone with actual IT experience

3) Your company is in a small location and no one wants to relocate there

4) The basic IT skills you asked for are not that basic, and assumed a lot of specific knowledge (Windows AD, GPO... that's a Windows admin, so maybe ask for a Windows Admin with 2-5 yrs experience?)

I'm just trying to find where the problem is so we can find a solution.

A potential solution I can think of....

1) Create an internal process where you allow existing IT staff to cross-train in Security, and I'm talking real cross-training, not a day here or there shadowing, more like a 6+ month secondment. It can be cheaper than recruiting a disappointing candidate.

... We have schools pumping out cybersecurity graduates like they're going out of style and yet somehow we are still short. I'd agree you need IT experience before jumping into the waters, but most programs (at the undergrad level) are balanced thus you are getting a base in technology that would allow you to work in IT to get that experience.

I really am not a fan of those programs, and I'd rather see them disappear. I'd rather candidates get basic Science degrees and learn critical thinking and other foundation knowledge, and work in IT for at least 5 years. This may fix a lot of the issues that we see today in weak security teams.


So you're in Cybersecurity, and your company has been trying so hard to find qualified Cybersecurity candidates but without much success. Your company is frustrated by the lack of qualified candidates, and the qualified candidates seem to ask for unrealistic $$$.

You even interviewed some candidates and you did not like what you saw.

My question is....

1) What skills are you actually looking for? Splunk? Nessus? Risk assessment? Penetration testers with OSCP? Candidates who passed GCFA and can do Memory Forensics?

2) How hard do you think it is to get a candidate and give them time to get proficient with Splunk? How is it different than, say, Network engineering where you give a candidate time to get familiar with a certain network gear? Why is Splunk so hard to master? Is Splunk the problem?

3) How crucial are those skills? Are you being unrealistic? How often do you have to do Memory Forensics (as an example)? Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pick up?

I'm just trying to understand, because I spent time in Systems Engineering and various parts of Security, and I didn't find Cybersecurity particularly harder, so I'm trying to identify the source of the problem here.

1. Depends on the position. Your JD is a bit overly broad here. My currently promised a mid to entry level position in 2017, 2018 and again in 2019 with nowhere to even seat the position should I find the perfect candidate. As for skills? Skip the fresh graduate in anything, particularly a tool user with a security degree. Need at least five years of IT experience. Preferably someone coming from a development background rather than another infrastructure person like myself. I need an internal penetration testing and QA person who can go deeper into code than I can. Logs are easy to figure out; it's the burnout factor that kills people, not the skill. Pay range would be 90-105k. Chicago is expensive but also slowly being crushed by taxes and commute times; still people want to flock here and sit in traffic for hours a day.

As far as talent goes, I don't need another me. Can train anyone to read and develop logs. Boring but doable. Overall detection abilities are through the roof better than say 3-5 years ago (BAD, NBAD in particular). Tools including predictive analysis at the endpoint, network and entry points are providing more and better ACTIONABLE evidence than ever before. You can farm the actual log stuff out to a service cheaper than hiring someone to sit there and learn Splunk as well. The comparison to simply manipulating Splunk logs may soon be a nice double check but frankly, I see much of that primary log analysis going away in favor of having the machines alert on things in real time. SIEM will still be there in the background but more for comparison and compliance. You may be fighting an ever-losing battle with any SIEM technology. Hold on, we'll see. Not convinced either way but running out of fence time on this one.

2. Splunk is easy to pick up at first but requires real effort to master. Putting the cycles in to master the product is not in the cards for most people who work 8-5, go home and never pick up a book. Continuous learning is still a foreign concept to many.

3. Skills are as transferable as the candidate is willing to learn. See number 2, rinse and repeat as needed or farm the tedious stuff out.

In general I see the lack of candidates as being formed by the lack of interest from the talent side. There is no real benefit for talented IT administrators, let alone developers, to switch careers for more work and the same or less money than before. Add to that more headaches and more learning curve and you have a recipe for imbalance. Most see no upside other than it's an additional challenge to master. Developer types here are paid more than security so my eyebrow rises when I do meet the occasional dev turned InfoSec person. The term 'Cyber' should be left to Government, politicians and schools. I have never met a serious business person who says 'cyber' worth a conversation, but that's just me.

Now, depending on which report you want to subscribe you will also see where determined intrusion attacks are down to 1:8 from 1:3 successful attempts in just the past 18 months. Considerable. That means that security is finally starting to win the war, one slow battle at a time. Given that one stat right there means we will need fewer InfoSec people investigating anything rather than more. The workload is or should be decreasing here.

The US Department of Labor calls for an additional need of 1.2 million more security people by 2020 - hogwash. Forrester and Gartner both state the trend will decrease the number of analysts needed, not grow it. Unfortunately, these reports are recent and still behind paywalls. Frost & Sullivan recently published survey results of 2000 CISSPs painting a need, from their survey projections, of some 2.2 million more security analysts by 2020. Which is great for the (ISC)2 as they certify security analysts! Not buying that one either.

If we need 2.2 million more analysts in 2.5 years we would be seeing double digit increases in salary already, and you're lucky if you're seeing anything above 3 percent industry wide. Three percent is still beating the average for all fields nationwide at 2.3 percent according to salary.com, et al. Again, I don't see it happening. If we were, it would be back on the cover of every trade rag going and we'd see the industry setting itself up for another Y2K debacle, and no one wants to go through that again.

Your next growth industries will be data science/analytics and cloud administration. Technical Security will be absorbed into the whole DevSecOps wave (it's coming) or into a more policy and business risk posture. Once again the economics will determine the path the field will take in the future. Techs become too expensive, technology takes over and replaces analysts like forklifts once replaced porters, and on and on it goes.

These days, I see late-night cybersecurity degree ads on TV right next to those for trucking and hairdressing schools. I'm not sure what these schools are doing, but they're releasing tons of completely non-qualified candidates with that buzzword on their resume.

As others have said, a decent cybersecurity person has probably worked years in the field and gradually specialized over time. So maybe the solution is to advertise for an experienced sys admin with an interest in security (don't even use the word "cybersecurity") and see what you get.

Your company is frustrated by the lack of qualified candidates, and the qualified candidates seem to ask for unrealistic $$$

I understand what you're going for here, but my company doesn't determine what is realistic - the market does. This is part of the problem and companies need to get this, particularly for more senior positions.

Originally Posted by UnixGuy

Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pickup?

I'm just trying to understand, because I spent time in Systems Engineering and various parts of Security, and I didn't find Cybersecurity particularly harder so I'm trying to identify the source of the problem here.

Had the industry focused more on moving systems/network engineers and software engineers, I think the skills gap would be far smaller than it is today. Instead, companies trying to build out their security programs went after GRC types - folks that fit corporate culture and are more easily understood by the business. Surveys polling CISOs continue to show that senior cyber leadership believe their teams are lacking in skills. But this is what happens when you tie up your resources in administrators that don't have technical skills.

This shouldn't be construed as argument against GRC - but I think that their teams are often too large. Overreaction to regulatory compliance drives a lot of this, I think. As an example, I work for a large financial services firm. A few years ago, we had an audit finding that said we weren't doing enough to make sure our vendors use good security practices. The next day (or so it seemed) we had a team of folks to manage vendor oversight. The number of folks managing vendor questionnaires is now 3 times larger than the number of penetration testers we have.

I think training engineers can definitely help solve the problem, but you have to be able to identify good candidates (as with anything else) and come up with the resources to pay them. Not just any engineer is going to make a good candidate. Offensive security requires a mindset that many engineers just do not have (software engineers, in particular, have a hard time even thinking about making software do things it wasn't designed to do). But they have the years of experience that you just don't get by getting a degree or auditing for 10 years. Knowledge of the underlying technologies is so critical, but it takes time. I say hire more engineers.

This is good, developers are a dime a dozen. I'm aware that they don't all want to move to security, but it's a start...

Originally Posted by beads

developer types here are paid more than security so my eyebrow rises when I do meet the occasional dev turned InfoSec person

Hmm, that's interesting. I've seen some developers paid more, but I thought security pros are paid more on average... I could be wrong. But I noticed that there is a lot of interest in security, it's the new buzzword cool thing that everyone wants to get into... I'm wondering if it's the area I live in, but even here in the forums, we get regular questions from people wanting to move to security, so there is interest. They all seem to note how difficult it is to get into security, go figure!

Originally Posted by beads

Your next growth industries will be data science/analytics and cloud administration. Technical Security will be absorbed into the whole DevSecOps wave (its coming) or into a more policy and business risk posture.

I noticed that data science/analytics & cloud administration are the present, not the future. I predict the opposite: I think data analytics will become a utility/ready-to-use button and cloud administration will keep on getting even simpler than it already is. I also noticed that DevSecOps is the present as well, not the future. I think more tools will be ready to use in the future with little to no customisation/integration needed... or at least I hope so.

Excellent points as always, beads!
